The SonicWall Capture Labs Threat Research Team has come across ransomware that goes by the name GlobeImposter. It is also known as Fake Globe. GlobeImposter is distributed via a malicious spam campaign and, as with all ransomware, encrypts the victim's files, making them unrecoverable without payment. Most ransomware has a built-in file-extension filter that leaves executable files intact. This ransomware, however, encrypts executable files as well and renders the system unbootable as a result.

Infection Cycle:

Upon execution, the Trojan makes the following changes to the filesystem and begins its file encryption process:

The page contains data on steps needed to recover files. We wrote to true_offensive@aol.com and received the following reply:

If %ALLUSERSPROFILE%\60091F9FF415A9DD5FDFF0D880249E69F883A75D0242CE20D6E6A90CC5AEAFDE already exists, the Trojan ceases all operations and exits.

60091F9FF415A9DD5FDFF0D880249E69F883A75D0242CE20D6E6A90CC5AEAFDE contains the following data:

After encrypting files (including .exe files), the Trojan then performs operations to make file restoration difficult. It even clears Windows event logs and removes any saved remote desktop configurations. The following .bat file performs this task before being deleted.
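The behaviours described above (the exit-marker file in %ALLUSERSPROFILE%, event-log clearing, removal of saved remote desktop configurations, and a batch file that deletes itself) give a defender concrete things to look for in endpoint telemetry. The script below is an added example, not SonicWall's tooling or anything from the sample itself. It runs a small set of detection rules over constructed, loosely Sysmon-style log lines (EventID 11 = file create, 23 = file delete, 1 = process create; 1102/104 stand in for the Windows "audit log cleared" events). The marker file name is the one from the write-up; the host paths, the `invoice.exe` dropper name, the `clean.bat` name and the assumption that the saved RDP configuration is `Default.rdp` are all hypothetical. It also includes a defender-side check for whether the marker file is already present, since the write-up states the Trojan exits when it finds it.

```python
"""Toy detector for the GlobeImposter behaviours described in the write-up.

Added example (not SonicWall's code). Log lines are constructed and only
loosely Sysmon-style; real telemetry will have different field names.
"""
import ntpath
import os
import re

# Marker the Trojan looks for before running (name taken from the write-up).
# %ALLUSERSPROFILE% resolves to C:\ProgramData on Windows Vista and later.
MARKER_NAME = "60091F9FF415A9DD5FDFF0D880249E69F883A75D0242CE20D6E6A90CC5AEAFDE"

# Constructed sample telemetry (hypothetical host, user, dropper and bat names).
SAMPLE_LOG = [
    r"EventID=11 Image=C:\Users\victim\AppData\Local\Temp\invoice.exe TargetFilename=C:\ProgramData\60091F9FF415A9DD5FDFF0D880249E69F883A75D0242CE20D6E6A90CC5AEAFDE",
    r"EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\victim\Documents\notes.txt",
    r'EventID=1 Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c C:\Users\victim\AppData\Local\Temp\clean.bat"',
    r"EventID=1102 Channel=Security",
    r"EventID=23 Image=C:\Windows\System32\cmd.exe TargetFilename=C:\Users\victim\Documents\Default.rdp",
    r"EventID=23 Image=C:\Windows\System32\cmd.exe TargetFilename=C:\Users\victim\AppData\Local\Temp\clean.bat",
    r"EventID=1 Image=C:\Windows\explorer.exe CommandLine=explorer.exe",
]

# Key=value pairs; values may be double-quoted when they contain spaces.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn 'Key=value Key2="quoted value"' into a dict with quotes stripped."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def analyze(lines):
    """Return (line_no, kind, detail) findings for the behaviours in the write-up."""
    findings = []
    bat_scripts = set()  # .bat paths seen launched, to catch later self-deletion
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        eid = ev.get("EventID")
        target = ev.get("TargetFilename", "")
        cmd = ev.get("CommandLine", "")
        if eid == "11" and ntpath.basename(target).upper() == MARKER_NAME:
            # The exit marker being written means a run of the Trojan has started.
            findings.append((n, "marker_created", target))
        elif eid in ("1102", "104"):
            # Security (1102) or System (104) log cleared: anti-forensics step.
            findings.append((n, "event_log_cleared", ev.get("Channel", "?")))
        elif eid == "23" and target.lower().endswith(".rdp"):
            # Saved remote desktop configuration removed (Default.rdp assumed).
            findings.append((n, "rdp_config_removed", target))
        elif eid == "23" and target.lower() in bat_scripts:
            # A batch file that was launched earlier is now being deleted.
            findings.append((n, "bat_self_deleted", target))
        elif eid == "1":
            m = re.search(r"\S+\.bat\b", cmd, re.IGNORECASE)
            if m:
                bat_scripts.add(m.group(0).lower())
    return findings


def verdict(findings):
    """Marker creation plus any cleanup step is treated as high confidence."""
    kinds = {k for _, k, _ in findings}
    cleanup = kinds & {"event_log_cleared", "rdp_config_removed", "bat_self_deleted"}
    if "marker_created" in kinds and cleanup:
        return "high"
    if kinds:
        return "medium"
    return "none"


def marker_present(profile_dir=None):
    """Defender-side check: does the marker the Trojan tests for already exist?"""
    profile_dir = profile_dir or os.environ.get("ALLUSERSPROFILE", r"C:\ProgramData")
    return os.path.isfile(os.path.join(profile_dir, MARKER_NAME))


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for n, kind, detail in hits:
        print(f"line {n}: {kind} ({detail})")
    print("verdict:", verdict(hits))
```

On the constructed input the rules fire on lines 1, 4, 5 and 6 and the verdict is "high"; the benign lines 2 and 7 produce nothing. The bat rule deliberately needs two events (launch, then delete of the same path), which is what distinguishes a self-cleaning script from ordinary batch usage.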